
Privacy Policy

Version 2.0 · Effective May 11, 2026

This Privacy Policy describes how Gebeya Inc., a corporation incorporated in the State of Delaware, USA (“Gebeya”, “we”, “us”, “our”), collects, uses, stores, and protects your personal information when you use bael.ai — an AI-powered recruitment CRM product operated by Gebeya Inc. We are committed to handling your data with transparency, care, and in accordance with applicable US data protection laws.

1. Who This Policy Applies To

This policy applies to:

  • Customers — individuals and organisations that create a bael.ai workspace and use the platform for recruitment
  • Team members — individuals invited to join a Customer's workspace
  • Visitors — anyone who visits bael.ai or our public-facing pages

This policy does not govern the personal data of job applicants who submit applications through a bael.ai-powered careers page. Applicant data is controlled by the employer (our Customer), who is solely responsible for their own applicant-facing Data Protection Notice. Gebeya processes Applicant Data only as a data processor on the Customer's behalf, as described in our Terms of Service.

2. What Data We Collect

2a. Account & Profile Data

When you create an account we collect:

  • Name and email address (via Google OAuth)
  • Profile photo (from your Google account, if provided)
  • Workspace name and slug you create

2b. Usage & Activity Data

  • Actions taken within the platform (jobs created, candidates added, pipeline stages moved)
  • Feature usage — which tools and AI features you use, and how frequently
  • Session timestamps, IP address, browser type, and device metadata (for security and debugging)

2c. Billing Data

  • Subscription plan, billing cycle, and payment history
  • Payment card details are never stored by Gebeya — all payment processing is handled exclusively by Stripe, a PCI-DSS-certified provider

2d. Integration Data

If you connect third-party services:

  • Google (Gmail): OAuth access tokens scoped only to the permissions you explicitly grant. We do not read emails unrelated to recruitment.
  • LinkedIn: OAuth tokens to publish job postings on your behalf

2e. Customer Content

Job descriptions, candidate profiles, pipeline notes, uploaded resumes, AI-generated content, and any other material you create, upload, or import while using the platform.

2f. Communications Data

If you contact us for support or submit feedback, we retain a record of that communication to help resolve your enquiry and improve our service.

3. How We Use Your Data

We use your data to:

  • Provide the Service — create and manage your workspace, process your jobs and candidates, and operate all platform features
  • Improve AI features — aggregated, anonymised usage patterns help us improve our AI models. We never use individually identifiable candidate data to train models without explicit consent.
  • Process billing — manage subscriptions, invoices, and payment events via Stripe
  • Send transactional communications — account invitations, billing receipts, and important service announcements
  • Ensure security & prevent fraud — monitor for abuse, unauthorised access, and suspicious activity
  • Comply with law — meet our legal obligations under applicable US federal and state law, including the Delaware Personal Data Privacy Act and the California Consumer Privacy Act (where applicable)
  • Enforce our Terms — investigate and act on violations of our Terms of Service

We do not sell your personal data to third parties. We do not use your data for advertising or share it with data brokers.

4. Legal Basis for Processing

To the extent required by applicable law, we process your personal data on the following legal bases:

  • Performance of a contract — processing necessary to provide the Service you signed up for and fulfil our obligations under the Terms of Service
  • Legitimate interests — security monitoring, fraud prevention, service improvement, and enforcing our legal rights, where those interests are not overridden by your rights
  • Legal obligation — where we are required to process or retain data to comply with applicable law (e.g., financial record-keeping)
  • Consent — for optional third-party integrations (Google, LinkedIn) where you explicitly authorise access, and for any marketing communications. You may withdraw consent at any time.

5. Data Sharing & Sub-processors

We work with a small number of trusted third-party providers to operate the platform. Each sub-processor is bound by data processing agreements and handles your data only as instructed by us:

Provider            Purpose                                                 Location
Supabase            Database, authentication, file storage                  USA
Stripe              Payment processing & billing                            USA
Google (Gemini)     AI resume parsing, job generation, candidate scoring    USA
Voyage AI           Vector embeddings for semantic candidate search         USA
SendGrid (Twilio)   Transactional email delivery                            USA

We do not share your personal data with any other third parties except: (a) where required by applicable law or valid legal process; (b) to protect the rights, property, or safety of Gebeya, its customers, or the public; or (c) in connection with a merger, acquisition, or sale of assets, in which case your data will remain subject to this Privacy Policy or a policy offering equivalent protections.

6. Data Security

Gebeya implements industry-standard technical and organisational security measures to protect your data, including:

  • All data is encrypted in transit (TLS 1.2+) and at rest (AES-256)
  • Database access is enforced via Row Level Security (RLS) — each workspace can only access its own data
  • File uploads are stored in private, access-controlled cloud storage
  • OAuth tokens for third-party integrations are stored encrypted and never exposed client-side
  • Automatic session expiry after periods of inactivity
  • All administrative access to production systems is logged and audited
  • Regular security assessments and dependency monitoring

While we use commercially reasonable measures to protect your data, no method of transmission or storage is 100% secure. In the event of a confirmed data breach affecting your personal data, we will notify you in accordance with applicable law.

If you discover a potential security vulnerability, please report it responsibly to support@gebeya.com. We acknowledge all reports within 48 hours.

7. Data Retention

We retain personal data only for as long as necessary for the purposes set out in this policy:

  • Active accounts: data is retained for as long as your workspace is active
  • After cancellation: workspace data is retained for 90 days to allow data export, then permanently and securely deleted
  • Billing records: retained for 7 years as required by applicable financial regulations
  • Security & audit logs: retained for 12 months for fraud prevention and incident investigation
  • Support communications: retained for 2 years or until your account is deleted, whichever is earlier

You can export your Customer Data at any time from your workspace settings. To request earlier deletion of your personal data, contact us at support@gebeya.com.

8. Your Privacy Rights

Depending on your jurisdiction, you may have the following rights with respect to your personal data. These include rights under the Delaware Personal Data Privacy Act, the California Consumer Privacy Act (CCPA/CPRA), and equivalent US state privacy laws:

  • Right to Know / Access — request a copy of the personal data we hold about you and information about how we use it
  • Right to Correct — request correction of inaccurate or incomplete personal data
  • Right to Delete — request deletion of your personal data, subject to certain legal exceptions
  • Right to Data Portability — receive your data in a structured, machine-readable format
  • Right to Opt Out of Sale — we do not sell personal data, so this right is already satisfied
  • Right to Non-Discrimination — we will not discriminate against you for exercising your privacy rights
  • Right to Withdraw Consent — for processing based on consent (e.g., third-party integrations), you may withdraw at any time without affecting the lawfulness of prior processing
  • Right to Object or Restrict — object to or request restriction of certain processing activities

To exercise any of these rights, submit a request to support@gebeya.com. We will respond within 45 days (extendable by a further 45 days for complex requests, with notice). We may need to verify your identity before processing your request. We do not charge a fee for reasonable requests.

California residents may also contact the California Privacy Protection Agency (CPPA) or the California Attorney General's office. Delaware residents may contact the Delaware Department of Justice if they believe their rights have been violated.

9. Cookies & Tracking

bael.ai uses minimal cookies, limited to what is necessary to operate the platform:

  • Authentication cookies — to keep you signed in during your session (strictly necessary)
  • Preference cookies — to remember UI settings such as your active workspace

We may use privacy-respecting analytics tools to understand aggregate usage patterns and improve the platform. Any such tools are configured to anonymise data and are not used for cross-site behavioural advertising.

We do not use advertising cookies or share tracking data with ad networks. You can clear cookies at any time via your browser settings, though this will sign you out of the platform.

10. International Data Transfers

Gebeya Inc. is incorporated and primarily operates in the United States. All data is stored and processed on infrastructure located in the USA. If you access bael.ai from outside the United States, your data will be transferred to and processed in the USA, which may have different data protection laws than your home country.

By using the Service, you consent to this transfer. We rely on Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms where required by applicable law to legitimise cross-border transfers.

11. Children's Privacy

bael.ai is a professional recruitment platform intended for adults aged 18 and over. We do not knowingly collect or process personal data from individuals under 18 years of age. If you believe a minor has created an account or submitted personal data through our platform, please contact us immediately at support@gebeya.com and we will take prompt action to delete the data.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Services, or applicable law. When we make material changes, we will notify you by email and display a prominent notice in the platform at least 14 days before the changes take effect. The updated policy will include a new version number and effective date at the top of this page. Continued use of bael.ai after the effective date constitutes your acceptance of the updated policy.

13. Contact Us

For all privacy-related enquiries, data subject requests, or questions about this policy, please contact:

We aim to respond to all privacy enquiries within 10 business days. If you are not satisfied with our response, you may escalate to the relevant data protection authority in your jurisdiction.

© 2026 Gebeya Inc. · All rights reserved · bael.ai is a product of Gebeya Inc.